@andyhill:
you should not create the token on the user device, try this way:
1. The user logs in with his device to your application.
2. Your application server verifies the user and generates a token. The server stores this token and the user ID in a database (you can store access rights here, too).
3. Your application server sends the token back to the user device.
Now the communication loop for your application:
4. The user device sends the token to the server with every connection.
5. With the token the server can identify the user/device without password and username.
The token should have a short lifetime. You can generate a new token after each request from the client for some kind of "one-use token".
Greetings
Ralf
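The flow Ralf describes, as an added example that is not part of his reply: the server verifies the password, mints an unguessable token with the OS CSPRNG, stores only a hash of it next to the user ID and access rights, checks lifetime on every request, and rotates the token after each use so a captured one cannot be replayed. The in-memory dict, the user table, the salt and the helper names (`TokenStore`, `login`, `handle_request`) are all constructed for this example; a real server would use a database and per-user random salts.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Server-side token table (steps 2-5): token hash -> user id, rights, expiry.

    A dict stands in for the database here (constructed for the example).
    Only a SHA-256 hash of the token is stored, so a copy of the table alone
    does not let anyone impersonate a user.
    """

    def __init__(self, lifetime_seconds=300, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._records = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, rights):
        """Step 2/3: create an unguessable token and record who it belongs to."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._records[self._key(token)] = {
            "user_id": user_id,
            "rights": frozenset(rights),
            "expires": self.clock() + self.lifetime,
        }
        return token

    def authenticate(self, token):
        """Step 5: map a presented token back to the user, then rotate it.

        Returns (user_id, rights, replacement_token), or None if the token is
        unknown, already used, or expired. The presented token is removed
        either way, which gives the one-use behaviour.
        """
        record = self._records.pop(self._key(token), None)
        if record is None or record["expires"] <= self.clock():
            return None
        replacement = self.issue(record["user_id"], record["rights"])
        return record["user_id"], record["rights"], replacement


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table: username -> salt, password hash, user id, rights.
_SALT = b"constructed-static-salt"     # use a random per-user salt in real code
USERS = {
    "alice": {"salt": _SALT, "pw": _pw_hash("correct horse", _SALT),
              "user_id": 42, "rights": {"read", "write"}},
}


def login(store, username, password):
    """Step 1/2: verify the password on the server; only then issue a token."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _pw_hash(password, user["salt"])
    if not secrets.compare_digest(candidate, user["pw"]):
        return None
    return store.issue(user["user_id"], user["rights"])


def handle_request(store, token, needed_right):
    """Steps 4/5: authorise one request by token alone, no username or password.

    Returns (allowed, replacement_token). The client must send the replacement
    with its next request because the presented token is now spent.
    """
    result = store.authenticate(token)
    if result is None:
        return False, None
    _user_id, rights, replacement = result
    return needed_right in rights, replacement
```

Because the token is looked up by its hash and removed on use, a replayed token fails, an expired token fails, and a leaked table yields no usable tokens; the client simply swaps in the replacement token returned with each response.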